> And what should these precautions be?  If a malicious user can submit
> his own form and you are looking for a POST variable, how can you
> ensure that $admin came from your form and not that user's?  

The problem is when a cracker uses form variables in an attempt to set the
values of "flag" variables kept only in the session, for example, $isAdmin.
As far as the form variables *you* put in your form, it doesn't matter
whether the user submits your form or a form they made themselves. Those
form variables are just data you are trying to collect.

With register_globals on, PHP takes *all* variables (GET, POST, COOKIE)
received from the client and assigns them to global variables. So if the
user posts a value for $isAdmin, she can give herself admin privileges.

The key is to retrieve *only* the form variables *you* put in the form from
the the $_POST array. So don't write a loop and grab *everything* from that


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to